A botnet is a one-to-many control network formed between an attacker and infected hosts after the attacker uses one or more propagation approaches to make a large quantity of hosts infected with a bot program, for example, sending a malicious file to a large quantity of hosts so that the hosts are infected with a bot program when receiving and running the malicious file. The infected hosts are zombie hosts. The attacker may control the zombie hosts in a one-to-many manner using command and control (C&C) channels. The botnet forms an attack platform, and using this platform, various cyberattack behaviors may be initiated, resulting in a breakdown of an application system of an attacked object, a leakage of personal privacy, and the like. These cyberattack behaviors include, for example, using the botnet to send spam to an attacked object or stealing a secret. Compared with a conventional behavior that the attacker attacks the attacked object using a single host, the botnet may cause more severe damage to the attacked object.
In other approaches, after a malicious file is detected, a bot characteristic is identified and extracted from the malicious file usually through manual analysis, and a malicious file received later is filtered out and blocked based on the bot characteristic. However, to evade detection, the attacker usually modifies a malicious file relatively frequently, and a large quantity of variants of the malicious file may be easily generated. The foregoing bot characteristic extraction method is relatively inefficient, and cannot be applied on a large scale.